Privacy in the digital era has become a hot topic. Headlines about data breaches, fake news, and even election tampering have become part of our day-to-day as we continue to consume and share content on social media sites. After many years of inaction, government entities are beginning to enact legislation to improve protections for internet users, starting with the landmark General Data Protection Regulation (GDPR) passed by the EU. For marketers, understanding the impact of these new regulations can be confusing and complex.
In 2018 California adopted a series of consumer privacy regulations collectively known as the California Consumer Privacy Act of 2018 (CCPA). These laws intend to strengthen consumer protections including but not limited to the use of data collected by internet services, including Social Media, Search Engines, Advertising technology, and internet connected devices. The CCPA will go into effect as of January 1, 2020.
While EU companies are subject to the more narrowly defined General Data Protection Requirements (GDPR) which also went into effect in 2018, the CCPA represents the strongest internet privacy law currently in place in the United States. With most internet platform providers located in California, this effectively governs consumer data protection nationwide, and affects platforms such as Google, Facebook, LinkedIn, as well as most programmatic advertising platforms.
With the explosion in popularity of digital media, consumer data has proliferated across a multitude of platforms and data services. Since provision of consumer data is often requisite to the usage of these platforms, consumers often are required to give access to potentially sensitive data in order to access common features such as email, or to engage with others on a social media platform.
This data is often stored, sold, packaged and distributed across first and third-parties, often for ad targeting and content personalization. Most internet service providers rely on revenue generated by selling this data to advertisers. Prior to the CCPA, little-to-no regulation exists to govern the storage, sharing, and distribution of consumer data. Additionally, it is difficult for consumers to control this data, view what data is stored, grant or revoke access to it, or trace the data through third parties.
The CCPA sets out to define clear rules on how consumer data may be stored, gives consumers the right to obtain clear visibility into data collected about them, and the right to control how that data is used for commercial purposes CCPA also defines the compliance framework for business which collect and store consumer data.
Key Provisions:
Right to know what Consumer data is being collected
Consumers must be able to request and obtain data being collected about them; companies must disclose what data they are collecting upon request.
Right to know what Consumer data is being sold, and to Whom
Consumers must be able to request and obtain whether the data being collected about them is being sold; companies must disclose to whom consumer data is being sold upon request.
Right to say no to Consumer data being sold
Consumers shall have the right to direct a company not to sell data being collected about them; companies shall comply upon request.
Right to Equal Service and Price
Companies may not restrict or modify services based on a Consumer’s request to obtain or restrict Consumer data. Companies may not charge fees to Consumers in order to request or obtain Consumer data.
Companies may be subject to civil suit for damages, as well as fines ranging from $1,000 – $3,000 per incident.
For most companies with a typical corporate web presence, first-party Consumer data collection is limited. Most internet usage data collected on a commercial web site is anonymous and not personally-identifiable, and most companies rely on third-party data platforms such as Google Analytics to collect Consumer data, and this data is not stored with the Company. Data platforms are required to provide obvious links consumers can use to make requests for their data, as well as provide the appropriate disclaimers.
In the event a business self-hosts an application which collects first-party consumer data, the company must be in compliance with the provisions above.
The main effects being:
An easily visible link or toll-free phone number which allows Consumers to request their data or direct the company not to sell it.
Updates to the terms-of-service for the web site or application disclosing compliance with the CCPA.
Internal processes to facilitate the retrieval and response to Consumer data requests.
While many marketers may avoid negative impacts due to these new regulations, it’s critical to understand the impacts. Compliance may be simply a matter of following simple guidelines, updating legalese, and implementing common-sense data governance rules, and savvy marketers will be able to continue executing on their digital programs without risk of running against these regulations.
Matthew Lee is President of Motionstrand, a Digital Customer Experience Agency based in North San Diego County. Motionstrand works with brand, media and client partners to deliver exceptional CX for the Healthcare, Pharma, and Medical Device space.